Billions to install, now billions to protect

The hacking of the health records of as many as 1 in 3 Americans has awoken the health care industry to an unpleasant reality: After spending billions to install computerized documents in hospitals and networks, it now must spend billions more to make them secure.

The numbers are staggering:

· An individual health care record brings up to $50 on the black market, 10 times as much as a stolen credit card number.

· Each hacked record could cost a company around $20 in legal costs and credit protection.

· Hacks already cost the health care industry about $6 billion a year, according to an industry-funded report.

· An estimated $2 billion worth of health-related cyber insurance was sold last year, and the market is growing at 20 to 25 percent a year.

The health care hacks have caught Congress’ eye as well. The House last month passed two bills to increase sharing of cybersecurity threat information among government agencies and industry, including health care. In the Senate, Mark Warner (D-Va.) is developing legislation that requires companies to quickly notify patients when their records are compromised.

Yet legislation won’t end the problem. Health care networks are a juicy target for hackers. No matter what bills Congress passes, no matter how much the industry spends, a health care company can’t be sure it’s safe from the craftiest hackers. Some big name health plans and health systems have been hit — including one Washington-area health plan that covers some lawmakers and federal workers.

“The adversary is way ahead of us right now,” says Jim Nelms, who is the Mayo Clinic’s first chief information security officer and who previously held the same position at the World Bank.

Most major health care companies have already been hacked more than once, according to a cyber industry-funded survey by the Ponemon Institute this month.

The government has helped set up threat-sharing networks for industry. Yet many hospital systems still don’t participate, in part because they can’t afford the additional investments that security experts say are required.

“For a lot of places, it’s spend $1 million a year on uncompensated care, or spend it on security,” says Carl Anderson of the HITRUST Alliance, a clearinghouse for health care cyber protection.

He and other experts compared cybersecurity to spending for a new roof. It’s all cost with no obvious benefits. Yet the risks of doing without it are enormous.

“You might pay for the best tornado-resistant roof and never need it,” he said. “But if all you’ve got is a tarp and a storm comes, you’re going to take a lot of heat for the damage to your house.”

The perception that health care hasn’t done enough about security has led to skyrocketing premium rates for cyber insurance, said Ben Beeson of Lockton, a major global insurance broker who tracks the rapidly growing market.

Yet many in health care find it difficult to believe they are targets.

One of Nelms’ first efforts at Mayo was to get 20,000 employees to switch to a dual recognition system, which uses frequently changing pass codes. He encountered disbelief at first. “A lot of the response was, ‘We live in a cornfield in the middle of Minnesota,’” he said. “‘Who wants to hurt us? Who can even find us here?’”

Health care companies should be spending at least 10 percent of their information technology budgets on security, says Lisa Gallagher, a cybersecurity expert at HIMSS — and up to 40 percent for companies that are just getting started, says Michael Garvin of Symantec.

Yet that isn’t feasible for everyone; the industry-wide average is about 3 percent.

“It’s one thing if you’re a Mayo Clinic or a Kaiser or an Aetna and another to be a small to medium hospital chain struggling with low profit margins,” says Nelms. “Where do you start? And this is not a one-time expense.”

Security experts are rushing into the gap, offering consulting services for companies that don’t want to build their own security teams.

Firms like Symantec and Northrop Grumman have new or beefed-up health care divisions, and boutique consulting firms are popping up like dandelions to service an industry that lags 20 years behind finance and defense.

There’s also a booming market in health care for privacy officers, whose jobs may include cybersecurity as well as legal compliance. The International Association of Privacy Professionals, launched barely a decade ago, is growing at 25 percent a year and has 20,000 members.

Some academic medical centers that became aware of the risks years ago already spend millions on staff, technology and consultants. Bonnie Siegel, an attorney who does headhunting for cyber experts for the health care industry, knows of a cancer center with 34 cyber staff.

These professionals, many coming from the banking and military sectors, find a seller’s market in health care, Siegel said.

“Top health care security positions used to average $135,000-$175,000, but the salary is now typically in the $200,000-$225,000 range, and I know people earning $300,000,” she said.

There’s a growing awareness among hospital officials that the hundreds of devices they use — the crash carts, insulin pumps, heart monitors and other machines integral to daily care — are really computers connected to a network, and entirely hackable, said Anthony Coronado, biomedical engineering manager at Renovo Solutions in California.

The episode of Showtime’s “Homeland” TV drama in which a terrorist in a basement remotely turns off a senator’s pacemaker has never occurred, but “it’s only a matter of time before it does,” said James Carder of cyber firm LogRhythm.

“There’s not a single solution that would stop the adversary we face,” said Nelms. “What we can do is use some techniques to protect critical information.”